Hallo zusammen,
nachdem ich das Komplett- Image 1.7.1 aufgespielt habe läuft nun wieder alles bis auf die Anzeige der Wetterdaten von Yr.no.
Hierzu kommt der folgender Fehler im Nginx Error.log. Meinem Verständnis nach, werden die Anfragen der Wetterdaten vom Raspi zum Internet blockiert.
Konfiguration:
Smarthome und NGINX laufen auf einen Raspi3.
Smartvisu, Webservice und Alexa laufen ansonsten normal.
Die Pakete des WakeonLAN Plugins kommen aktuell auch nicht an aber ich weiß nicht ob das damit zusammenhängt.
Viele Grüße
Christian
Hier meine NGINX Konfigs ...
Default
https.conf
nginx.conf
nachdem ich das Komplett- Image 1.7.1 aufgespielt habe läuft nun wieder alles bis auf die Anzeige der Wetterdaten von Yr.no.
Hierzu kommt der folgender Fehler im Nginx Error.log. Meinem Verständnis nach, werden die Anfragen der Wetterdaten vom Raspi zum Internet blockiert.
Konfiguration:
Smarthome und NGINX laufen auf einen Raspi3.
Smartvisu, Webservice und Alexa laufen ansonsten normal.
Die Pakete des WakeonLAN Plugins kommen aktuell auch nicht an aber ich weiß nicht ob das damit zusammenhängt.
Viele Grüße
Christian
Code:
2020/10/29 07:02:53 [error] 23113#23113: *29 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 127.0.0.1, server: xxxxx.yyy.com, request: "GET /smartvisu/lib/weather/service/yr.no.php?location=Germany%2FBaden-W%C3%BCrtemberg%2FOffenburg%2F&cache_duration_minu tes=15 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock", host: "xxxxx.yyy.com", referrer: "https://xxxxx.yyy.com/smartvisu/index.php" 2020/10/29 07:02:53 [error] 23113#23113: *31 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 127.0.0.1, server: xxxxx.yyy.com, request: "GET /smartvisu/lib/weather/service/yr.no.php?location=Germany%2FBaden-W%C3%BCrtemberg%2FOffenburg%2F&cache_duration_minu tes=180 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock", host: "xxxxx.yyy.com", referrer: "https://xxxxx.yyy.com/smartvisu/index.php" 2020/10/29 07:08:18 [error] 23112#23112: *69 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.168.178.79, server: xxxxx.yyy.com, request: "GET /smartvisu/lib/weather/service/yr.no.php?location=Germany%2FBayern%2FW%C3%BCrzbur g&cache_duration_minutes=15 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock", host: "192.168.178.50", referrer: "http://192.168.178.50/smartvisu/index.php" 2020/10/29 07:08:18 [error] 23112#23112: *68 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.168.178.79, server: xxxxx.yyy.com, request: "GET /smartvisu/lib/weather/service/yr.no.php?location=Germany%2FBayern%2FW%C3%BCrzbur g&cache_duration_minutes=180 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock", host: "192.168.178.50", referrer: "http://192.168.178.50/smartvisu/index.php"
Hier meine NGINX Konfigs ...
Default
Code:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
upstream websocket {
server 127.0.0.1:2424;
}
upstream mainhost {
server 127.0.0.1;
keepalive 20;
}
upstream sv {
server 127.0.0.1;
keepalive 20;
}
upstream alexa {
server 127.0.0.1:9000;
}
upstream shng {
server 127.0.0.1:8383;
}
upstream nodered {
server 127.0.0.1:1880;
}
upstream shnet {
server 127.0.0.1:8888;
}
upstream monithost {
server 127.0.0.1:2812;
}
upstream grafanahost {
server 127.0.0.1:3000;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
include /etc/nginx/snippets/letsencrypt.conf;
root /var/www/html;
# Auf HTTPS umleiten
if ($http_x_forwarded_proto = "http") {
return 301 https://$server_name$request_uri;
}
## Blocken, wenn Zugriff aus einem nicht erlaubten Land erfolgt ##
if ($allowed_country = no) {
return 403;
}
# https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
## Block some robots ##
if ($http_user_agent ~* msnbot|scrapbot) {
return 403;
}
## Deny certain Referers ##
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|pok er|porn|sex|teen) )
{
return 403;
}
access_log /var/log/nginx/access.log specialLog;
error_log /var/log/nginx/error.log;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name xxxxx.yyy.com;
# Skip^1 caching variable init
set $nocache 0;
# Bypass^2 caching variable init
set $purgecache 0;
# Bypass^2 cache on no-cache (et al.) browser request
#if ($http_cache_control ~ "max-age=0")
# { set $purgecache 1; }
#if ($http_cache_control ~ "no-cache")
# { set $purgecache 1; }
# Bypass^2 cache with custom header set on request
#if ($http_x_cache_purge ~* "true")
# { set $purgecache 1; }
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
if ($http_upgrade = websocket) {
proxy_pass http://websocket;
}
}
# pass PHP scripts to FastCGI server
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
#fastcgi_read_timeout 2400;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
}
location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile {
try_files $uri @favicons;
}
location @favicons {
rewrite ^/(.+)$ /favicons/$1 last;
}
location /visu_websocket/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: Smarthome NG Backend";
auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_ignore_client_abort on;
proxy_pass http://$host:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$host:8383;
}
}
location /api/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: Smarthome NG Backend";
auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_ignore_client_abort on;
proxy_pass http://$host:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$host:8383;
}
}
location /admin/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_pass http://$host:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$host:8383;
}
}
location /backend/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_pass http://$host:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$host:8383;
}
}
location /gstatic/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_pass http://$host:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$host:8383;
}
}
# Network Plugin Weiterleitung
location /shnet/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: Smarthome NG Network";
auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_pass http://shnet;
rewrite ^/shnet/(.*) /$1 break;
}
# Nodered Weiterleitung
location /nodered/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Network";
#auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
proxy_pass http://nodered;
#rewrite ^/nodered/(.*) /$1 break;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://nodered;
}
}
# Weiterleitung zu Grafana
location /grafana/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
# auth_basic "Restricted Area: Monit";
# auth_basic_user_file /etc/nginx/.monit;
allow ::1;
deny all;
proxy_pass http://grafanahost/;
include /etc/nginx/headers.conf;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
rewrite ^/grafana/(.*) /$1 break;
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://grafanahost;
}
}
# Weiterleitung zu Monit
location /monit/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
allow ::1;
#auth_basic "Restricted Area: Monit";
#auth_basic_user_file /etc/nginx/.monit;
deny all;
proxy_ignore_client_abort on;
rewrite ^/monit/(.*) /$1 break;
proxy_pass http://monithost;
include /etc/nginx/headers.conf;
location ~* favicon.ico {
alias /var/www/html/favicon/monit/favicon.ico;
}
}
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
alias /usr/share/phpmyadmin/$1;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
# From fastcgi_params
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /usr/share/phpmyadmin; # <-- Changed
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_intercept_errors on;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 900;
fastcgi_send_timeout 900;
fastcgi_read_timeout 900;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
# Dealing with the uppercased letters
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
}
Code:
server {
set $nw_port 8888;
set $backend_port 8383;
set $red_port 1880;
server_tokens off;
## Blocken, wenn Zugriff aus einem nicht erlaubten Land erfolgt ##
if ($allowed_country = no) {
return 403;
}
# https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
## Block some robots ##
if ($http_user_agent ~* msnbot|scrapbot) {
return 403;
}
## Deny certain Referers ##
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|pok er|porn|sex|teen) )
{
return 403;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xxxxx.yyy.com;
##
# SSL
##
## Activate SSL, setze SERVER Zertifikat Informationen ##
# Generiert via Let's Encrypt!
ssl_certificate /etc/letsencrypt/live/xxxxx.yyy.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxxxx.yyy.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/xxxxx.yyy.com/fullchain.pem;
ssl_session_cache builtin:1000 shared:SSL:60m;
ssl_prefer_server_ciphers on;
# unsichere SSL Ciphers deaktivieren!
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:D[URL="https://knx-user-forum.de/core/image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw=="]https://knx-user-forum.de/core/image...EAAAICRAEAOw==[/URL]HE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:D[URL="https://knx-user-forum.de/core/image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw=="]https://knx-user-forum.de/core/image...EAAAICRAEAOw==[/URL]HE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1.2;
ssl_session_timeout 60m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/nginx_ticketkey;
#ssl_buffer_size 16k; #for throughput, video applications
ssl_buffer_size 4k; #for quick first byte delivery
# Client Zertifikat spezifisch
ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
ssl_crl /etc/ssl/ca/private/ca.crl;
ssl_verify_client optional;
ssl_dhparam /etc/ssl/ca/dh.pem;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
client_body_buffer_size 8K;
client_max_body_size 20m;
client_body_timeout 10s;
client_header_buffer_size 1k;
large_client_header_buffers 2 16k;
client_header_timeout 15s;
##
# global
##
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.php;
# Proxy Caching
# Skip^1 caching variable init
set $nocache 0;
# Bypass^2 caching variable init
set $purgecache 0;
# Bypass^2 cache on no-cache (et al.) browser request
if ($http_cache_control ~ "max-age=0")
{ set $purgecache 1; }
if ($http_cache_control ~ "no-cache")
{ set $purgecache 1; }
# Bypass^2 cache with custom header set on request
if ($http_x_cache_purge ~* "true")
{ set $purgecache 1; }
location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile {
try_files $uri @favicons;
}
location @favicons {
rewrite ^/(.+)$ /favicons/$1 last;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|xml)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
# Weiterleitung zu SmartHomeNG (Websocket Schnittstelle) mit Basic Auth
location = / {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.smartvisu;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
# Nur Websocket Verbindungen gegen "/" durchlassen!
if ($http_upgrade = websocket) {
proxy_pass [url]http://websocket;[/url]
}
}
# Zugriff auf die smartVISU mit Basic Auth
location /smartvisu {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: smartVISU2.9";
#auth_basic_user_file /etc/nginx/.smartvisu;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
#This is alternative to the lua script but doesn't work with Apple devices.
#if ($ssl_client_verify != SUCCESS) {
# return 403;
#}
proxy_pass [url]http://sv/smartvisu;[/url]
}
# Zugriff auf die smartVISU 2.8 mit Basic Auth
location /smartvisu2.8 {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: smartVISU2.8";
#auth_basic_user_file /etc/nginx/.smartvisu;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass [url]http://sv/smartvisu2.8;[/url]
}
# Zugriff auf WebService
location /ws/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: SmarthomeNG";
auth_basic_user_file /etc/nginx/.shng;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass http://$server_addr:8383;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$red_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
}
# Alexa Plugin Weiterleitung
location /alexa/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: Alexa";
auth_basic_user_file /etc/nginx/.alexa;
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass [url]http://alexa;[/url]
}
# Backend Plugin Weiterleitung
location /gstatic/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$backend_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
proxy_pass http://$server_addr:$backend_port;
}
location /visu_websocket/ {
include /etc/nginx/headers.conf;
satisfy any;
auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
#proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$backend_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
proxy_pass http://$server_addr:$backend_port;
}
location /api/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$backend_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
proxy_pass http://$server_addr:$backend_port;
}
location /admin/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$backend_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
proxy_pass http://$server_addr:$backend_port;
}
location /backend/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Backend";
#auth_basic_user_file /etc/nginx/.shng;
proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass http://$server_addr:$backend_port;
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
proxy_pass http://$server_addr:$backend_port;
}
# Network Plugin Weiterleitung
location /shnet/ {
include /etc/nginx/headers.conf;
satisfy any;
#auth_basic "Restricted Area: Smarthome NG Network";
#auth_basic_user_file /etc/nginx/.shng;
proxy_set_header Authorization "Basic c21hcnRob21lCg==";
# Create your base64 Passwort on the commandline: openssl enc -base64 <<< '<PASSWORD>'
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/16;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
rewrite ^/shnet/(.*) /$1 break;
proxy_pass http://$server_addr:$nw_port;
}
# Weiterleitung zu Grafana
location /grafana/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
# auth_basic "Restricted Area: Monit";
# auth_basic_user_file /etc/nginx/.monit;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass [url]http://grafanahost/;[/url]
include /etc/nginx/headers.conf;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
rewrite ^/grafana/(.*) /$1 break;
include /etc/nginx/headers.conf;
expires 7d;
add_header Cache-Control "public, no-transform";
proxy_pass [url]http://grafanahost;[/url]
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
}
}
# Weiterleitung zu Monit
location /monit/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
# auth_basic "Restricted Area: Monit";
# auth_basic_user_file /etc/nginx/.monit;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
rewrite ^/monit/(.*) /$1 break;
proxy_pass [url]http://monithost;[/url]
include /etc/nginx/headers.conf;
location ~* favicon.ico {
alias /var/www/html/favicon/monit/favicon.ico;
}
}
# Weiterleitung zu Monitgraph
location /monitgraph/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
# auth_basic "Restricted Area: Monitgraph";
# auth_basic_user_file /etc/nginx/.monit;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass [url]http://mainhost/monitgraph/;[/url]
include /etc/nginx/headers.conf;
}
# Weiterleitung zu phpmydmin
location /phpmyadmin/ {
satisfy any;
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 192.168.0.0/16;
# auth_basic "Restricted Area: PHP MyAdmin";
# auth_basic_user_file /etc/nginx/.monit;
allow ::1;
deny all;
# This script tests the SSL certificate and enables Websocket access with Apple devices.
# If you want to limit your access to devices with certificates (recommended!), don't remove this line!
access_by_lua_file /etc/nginx/scripts/hass_access.lua;
proxy_pass [url]http://mainhost/phpmyadmin/;[/url]
include /etc/nginx/headers.conf;
}
}
Code:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
log_format specialLog '[$time_local] $remote_addr forwarded for $http_x_real_ip - '
'Request: "$request" - Status: $status - Bytes sent: $body_bytes_sent '
'Referrer: "$http_referer" - User Agent: "$http_user_agent"';
##
# Basic Settings
##
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/proxy_params;
include /etc/nginx/fastcgi_params;
##
# SSL Settings
##
ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log specialLog buffer=64K;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gunzip on;
gzip_static on;
gzip_comp_level 2;
gzip_proxied any;
gzip_types application/javascript application/json application/vnd.ms-fontobject application/x-font-ttf image/svg+xml text/css text/plain text/xml;
gzip_vary on;
gzip_buffers 16 8k;
gzip_http_version 1.1;
##
# GeoIP Settings
# Nur Länder aus erlaubten IP Bereichen dürfen den ReverseProxy
# passieren!
# https://www.howtoforge.de/anleitung/nginx-besucher-mit-dem-geoip-modul-nach-landern-blocken-debianubuntu/
##
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
BY no;
BR no;
KP no;
KR no;
RS no;
RO no;
RU no;
CN no;
CD no;
NE no;
GH no;
IQ no;
IR no;
SY no;
UA no;
HK no;
JP no;
SC no;
}
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
##
# Harden nginx against DDOS
##
client_header_timeout 10;
client_body_timeout 10;
}
Kommentar